Decoding HID proximity cards

Do you manage a card-key system?

I do. And until recently, I've been buffaloed by being unable to integrate cards (and key fobs) from other systems into our own.

Well, I've recently learned how to do this, and I'm writing it up to share it with you. I hope it helps. When I went googling for information on this, I couldn't find anything useful.

The system I manage uses Ademco Passpoint Plus. I believe that Ademco was absorbed by Honeywell a while ago, and I've lately had trouble finding much Ademco branded information online.

Getting down and dirty - card codes in HEX

There are lots of different "formats" for these cards, but it seems that all the cards my system can detect produce a "card id" which is an 8-byte string. When I look at this in "raw format" it is show as 16 hex characters like this:

0123-4567-89AB-CDEF

The following information has been gleaned from observation and experimentation, and may be incorrect in some detail, but it is close enough for me to work with. If you have more or better information, please let me know so I can correct this post.

Digits 0 through 3 identify the "card type". Depending on the card type, the remaining digits are parceled out into various fields with cryptic names, like "RCM code" "facility code" and "card stamp". RCM codes and facility codes seem to exist solely to allow batches of related cards to be managed without having to manage all the bits that make up the total card code.

Card stamp is the last 4 or 5 hex digits; the 26-bit formats use 4, and the 34-bit formats use 5.

Facility Code, RCM code

The RCM code and facility code occupy varying parts of the remaining bits; some of the formats convert cleanly from hex to decimal and some I haven't figured out yet.

My system recognizes a number of card types including (with their corresponding values):

26 bit raw card image (0000)

26 bit Wiegand NCC (8101)

26 bit prox ncc (8201)

26 bit mag stripe ncc (8301)

34 bit raw ADEMCO prox (0000)

34 bit ADEMCO Prox NCC (8206)

ABA TRACK II Mag Stripe - format C (C000)

ABA TRACK II Mag Stripe - format D (D000)

ABA TRACK II Mag Stripe - format E (E000)

ABA TRACK II Mag Stripe - format F (F000)

EMPI-II Wiegand NCC (8105)

EMPI-II Prox NCC (8205)

EMPI-II Mag Stripe NCC (8305)

34 bit Northern Wiegand NCC (8107)

34 bit Northern Prox NCC (8207)

34 Bit Northern Mag Stripe NCC (8307)

Each card format has its own rules for what to do with the digits that aren't the "card stamp," but the card stamp seems to consistently be in the last 4 or 5 digits of the code.

My system also supports a "raw code image" format that lets you enter a RAW card code, so if you know a card's code but you can't decode the card format and other fields, you can still enter the card and manage it like any other card.

The images above are related; the raw card code "8206-EFFF-0000-FFFF" shown above is related to the details in the next image; the image shows a 34 bit ADEMCO Prox NCC (8206), with RCM code 14 (E) and Facility code 4095 (FFF). The third group of four digits is unused, and the card code/card stamp for this card is 65535 (FFFF), although it's not show in any of these images.

What do you do with an unknown card?

So you have a card from a foreign system, and you don't know the card type or any of the other fields you need to make it work. How do you get the information you need?

There are a number of choices depending on your situation. If your card key system includes an "enrollment reader" you can use that to swipe cards and automatically add them to your system. Unfortunately, my system does NOT have an enrollment reader, so I needed another solution.

In my Passpoint's "System Administration Options" menu (pull down "Config" and select "Admin") there is an option "Denial Override." When selected, it has two effects. First of all, this is dangerous to leave active for any period of time, because "Denial override" is what this does; any card swipe will open the door, even an unknown card... do don't leave this setting activated! The other effect it has, though, is to include the card code in the message log, so it's easy to capture the code for an unknown card.

So, to use an unknown card:

1) swipe it on a reader. If the reader doesn't beep, it is incompatible with the system.

2) on the Passpoint control station, set the "denial override" feature, and upload the changes to the MLB

3) swipe your unknown cards and record the card codes from the log

4) turn off "denial override" and upload the change to the MLB

5) create new card records for your unknown cards. If you can decode the card type and other fields, great. If not, just use the RAW card type, and put in the full card code reported when you had "denial override" active.

6) upload the new cards to the MLB, and test.

WooHoo!

Easy hex conversions

If you have trouble converting between decimal and hex in your head, there's a very simple tool already installed on most computers that will do this for you.

The calculator program included with MS Windows knows how to do base conversions. Rather than re-invent the wheel here, though, I'll refer you to

another article that covers this topic. I just wanted to mention it here, in case you as a reader were wondering where to get an easy hex-to-decimal converter, or vice versa.

If you've found this to be useful...

Please consider a donation to Rescue Animal Placements, an animal rescue organization that could really use your support, or your local animal shelter.

Your comments, please...

No HTML is allowed in comments, but URLs will be hyperlinked. Comments are not for promoting your articles or other sites.

sending

fatboy1271

15 months ago

So the HID 1326 cards do beep on my system. I've entered the Facility Code that I was given; yet, when I try out the card WinDSX does not show anything at all on the screen regarding the card... If I use a FOB without a name attached it will show the card number. If I use a FOB that isn't programmed to a reader it will say Access Denied. These new 1326 cards don't kick back any messages.

fatboy1271

15 months ago

So it can be safely assumed that no beep absolutely means incompatible card?

anonymous

3 years ago

Thank you for posting this information. You saved me time and for that Sir you are awesome!

Jeff

3 years ago

Thanks, this helped me add the cards we had to order from Amazon since our security company wouldn't sell any to us since "our system is too old!"

AUTHOR

mcs610

5 years ago

@anonymous: So glad this was helpful. Maybe I should publish a separate guide for migrating off Passpoint, since it has been discontinued for so long!

anonymous

5 years ago

@mcs610: ^^ This just saved my life. I needed to export data to migrate to a totally new system, and you have revealed to me that "debug interactive" actually means "Open Query Builder"! All this time I didn't know. *sigh* Thank you!

AUTHOR

mcs610

5 years ago

@anonymous: In Passpoint, pull down "Tools" and select "Reporting."

In the passpoint reporter, select the report "Cardholders (all)" and select the "debug interactive" mode. Click the "Run Report" button, which will open the MK Query Builder screen. Assuming you need the card codes in the export, in the data structure under "Cards" double-click on "CardCode" to add it to the field list. Now click the "Lightning bolt" icon to run the query. After the query runs, you'll see some of your results. One of the icons at the bottom is for "Export" ... click that, select the fields you want to export, then the format you want to export into (probably Excel DDE in your case), then click Export. Voila, a spreadsheet with your cardholders and their card codes. It sounds confusing without pictures, let me know if you need more details.

anonymous

5 years ago

We are changing out a passpoint system to a Keri door control since we can't get replacemnt parts for the honeywell system. we need to export the card data to an excel format to reenter the data in the Keri application. do you know how we can get this accomplished. jerry D. comtecsecurity@verizon.net

AUTHOR

mcs610

6 years ago

@anonymous: The *only* information in one of these prox cards is a serial number. All the data about what was done with the card is accumulated in the systems that read the serial number. You can't alter or erase the serial number that's burned into the chip. By bending a prox card you CAN make it stop working, by breaking the wire that's inside it. There's a coil of wire that goes almost along the perimeter of the card, when you wave it in front of a reader, a magnetic field in the reader induces current in the card, which powers the chip inside and lets it respond with its code.

anonymous

6 years ago

DigiOn24.com offers a prox encoder and cards that can be programmed and re-programmed as needed

anonymous

6 years ago

Can I erase the information on it or deactivate it with out a card reader/programmer? Eg* rubbing it against a strong magnet or bending/flexing it

AUTHOR

mcs610

6 years ago

@anonymous: An interesting concept, I hope they improve their site. There seems to be no pricing or availability information online.

anonymous

6 years ago

I have an old Northern system (very old!) when I swipe card on a reader attached to my PC I get " %E? " (minus the quotes of course)

how can I decode this? I have another system that I have figured out and want to use same card for boths systems if I can figure out the Northern System

Here you set the priority level for each message passpoint generates, and what to do with it (display, display and log, etc). You might want to look for message "acc deny ovr unkn" and "egr deny ovr unkn" to make sure they have some priority other than "none"

anonymous

8 years ago

@anonymous: here's the event view, see my admin options edited when i check denial override, then i swiped the card a few times and nothing appears.

It would be nice to find or form an active user group for tips and troubleshooting PassPoint issues.

AUTHOR

mcs610

9 years ago

[in reply to Mike] Thanks for letting me know this was useful to you. That's exactly why I wrote it, and I'm glad to know that even a year later, it's still helping someone here and there.

anonymous

9 years ago

You saved me a lot of time and frustration with adding some older cards to our system. THANKS!

anonymous

9 years ago

I can't tell you how much time this saved me. My cards actually came from our security company and getting assistance from them is like pulling teeth. Here are the specifics on the type card I had my problems with:

Card Tech is 26 Bit Prox NNC.

The raw code looks like:

8201-0000-blah-blah

the third and forth set are the keys.

The Third set is the hex value for the facility code.

The Forth set is the hex value for the card stamp.

Never would have figured this out without your help. I'd treat you to a drink if I could.

AUTHOR

mcs610

10 years ago

I hope you found this useful. Let me know if there's anything I can add to help you more.

This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, hubpages.com uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

This is used to display charts and graphs on articles and the author center. (Privacy Policy)

Google AdSense Host API

This service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)

This is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)

Facebook Login

You can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)

Maven

This supports the Maven widget and search functionality. (Privacy Policy)

We may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.

Conversion Tracking Pixels

We may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.

Statistics

Author Google Analytics

This is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)

Comscore

ComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)

Amazon Tracking Pixel

Some articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)